From 7cf2a5da0d2e321bc0567dcb0e1690e9ed51866d Mon Sep 17 00:00:00 2001
From: Staffan Olsson <staffan@repos.se>
Date: Sat, 5 Aug 2017 05:28:56 +0200
Subject: RBAC rights are purely additive so ...

a project like kubernetes-kafka should keep them minimal.
To access nodes we do need ClusterRole instead of Role.
---
 rbac-namespace-default/node-reader.yml | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 rbac-namespace-default/node-reader.yml

diff --git a/rbac-namespace-default/node-reader.yml b/rbac-namespace-default/node-reader.yml
new file mode 100644
index 0000000..5054182
--- /dev/null
+++ b/rbac-namespace-default/node-reader.yml
@@ -0,0 +1,26 @@
+# For kubectl get node, required for kafka init container rack awareness
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: node-reader
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - get
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: kafka-node-reader
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: node-reader
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: kafka
-- 
cgit v1.2.3